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The Plan Execution Interchange Language (PLEXIL) is a synchronous language developed by NASA 
to support autonomous spacecraft operations. In this paper, we propose a rewriting logic semantics 
of PLEXIL in Maude, a high-performance logical engine. The rewriting logic semantics is by itself a 
formal interpreter of the language and can be used as a semantic benchmark for the implementation of 
PLEXIL executives. The implementation in Maude has the additional benefit of making available to 
PLEXIL designers and developers all the formal analysis and verification tools provided by Maude. 
The formalization of the PLEXIL semantics in rewriting logic poses an interesting challenge due to 
the synchronous nature of the language and the prioritized rules defining its semantics. To overcome 
this difficulty, we propose a general procedure for simulating synchronous set relations in rewriting 
logic that is sound and, for deterministic relations, complete. We also report on two issues at the 
design level of the original PLEXIL semantics that were identified with the help of the executable 
specification in Maude. 



1 Introduction 

Synchronous languages were introduced in the 1980s to program reactive systems, i.e., systems whose 
behavior is determined by their continuous reaction to the environment where they are deployed. Syn- 
chronous languages are often used to program embedded applications and automatic control software. 
The family of synchronous languages is characterized by the synchronous hypothesis, which states that 
a reactive system is arbitrarily fast and able to react immediately in no time to stimuli from the external 
environment. One of the main consequences of the synchronous hypothesis is that components running 
in parallel are perfectly synchronized and cannot arbitrarily interleave. The implementation of a syn- 
chronous language usually requires the simulation of the synchronous semantics into an asynchronous 
computation model. This simulation must ensure the validity of the synchronous hypothesis in the target 
asynchronous model. 

The Plan Execution Interchange Language (PLEXIL) [9] is a synchronous language developed by 
NASA to support autonomous spacecraft operations. Space mission operations require flexible, efficient 
and reliable plan execution. The computer system on board the spacecraft that executes plans is called the 



executive and it is a safety-critical component of the space mission. The Universal Executive (UE) 1 20 1 
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is an open source PLEXIL executive developed by NASAQ PLEXIL and the UE have been used on mid- 
size applications such as robotic rovers and a prototype of a Mars drill, and to demonstrate automation 
for the International Space Station. 

Given the critical nature of spacecraft operations, PLEXIL's operational semantics has been formally 
defined [ 8 ] and several properties of the language, such as determinism and compositionality, have been 
mechanically verified (7| in the Prototype Verification System (PVS) p3| . The formal small-step seman- 
tics is defined using a compositional layer of five reduction relations on sets of nodes. These nodes are 
the building blocks of a PLEXIL plan and represent the hierarchical decomposition of tasks. The atomic 
relation describes the execution of an individual node in terms of state transitions triggered by changes 
in the environment. The micro relation describes the synchronous reduction of the atomic relation with 
respect to the maximal redexes strategy, i.e., the synchronous application of the atomic relation to the 
maximal set of nodes of a plan. The remaining three relations are the quiescence relation, the macro 
relation and the execution relation which describe the reduction of the micro relation until normaliza- 
tion, the interaction of a plan with the external environment, and the ^-iteration of the macro relation 
corresponding to n time-steps, respectively. From an operational point of view, PLEXIL is more com- 
plex than general purpose synchronous languages such as Esterel |2j or Lustre Q. PLEXIL is designed 
specifically for flexible and reliable command execution in autonomy applications. 

In this paper, we propose a rewriting logic semantics of PLEXIL in Maude [ 5 ] that complements 
the small-step structural operational semantics written in PVS. In contrast to the PVS higher-order logic 
specification, the rewriting logic semantics of PLEXIL is executable and it is by itself an interpreter of 
the language. This interpreter is intended to be a semantic benchmark for validating the implementation 
of PLEXIL executives such as the Universal Executive and a testbed for designers of the language to 
study new features or possible variants of the language. Additionally, by using a graphical interface p3| , 
PLEXIL developers will be able to exploit the formal analysis tools provided by Maude to verify prop- 
erties of actual plans. 

Rewriting logic is a logic of concurrent change in which a wide range of models of computation and 
logics can be faithfully represented. The rewriting semantics of a synchronous language such as PLEXIL 
poses interesting practical challenges because Maude implements the maximal concurrency of rewrite 
rules by interleaving concurrency. That is, although rewriting logic allows for concurrent synchronous 
specifications at the mathematical level, Maude executes the rewrite rules by interleaving concurrency. 
To overcome this situation, we develop a serialization procedure that allows for the simulation of a 
synchronous relation via set rewriting systems. This procedure is presented in a library of abstract set 
relations that we have written in PVS. The procedure is sound and complete for the synchronous closure 
of any deterministic relation under the maximal redexes strategy. 

We are collaborating with the PLEXIL development team at NASA Ames by using the rewriting 
logic semantics of PLEXIL to validate the intended semantics of the language against a wide variety of 
plan examples. We report on two issues of PLEXIL's original semantics that were discovered with the 
help of the rewriting logic semantics of PLEXIL presented in this paper: the first was found at the level 
of the atomic relation for which undesired interleaving semantics were introduced in some computations, 
and the second was found at the level of the micro relation for which spurious infinite loops were present 
in some computations. Solutions to both issues were provided by the authors, and have been adopted in 
the latest version of the PLEXIL semantics. 

Summarizing, the contributions presented in this paper are: 

• The rewriting logic specification of the PLEXIL semantics. 

'http : //plexil . sourcef orge .net 
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• A library of abstract set relations suitable for the definition and verification of synchronous rela- 
tions. 

• A serialization procedure for the simulation of synchronous relations by rewriting, and an equa- 
tional version of it in rewriting logic for deterministic synchronous relations. 

• The findings on two issues in the design of the original PLEXIL semantics, and the corresponding 
solutions that were adopted in an updated version of the language semantics. 

Outline of the paper. Background on rewriting logic, and the connection between this logic and Struc- 
tural Operational Semantics are summarized in Section [2] In Section [3] we present the library of set rela- 
tions, including the soundness and completeness proof of the serialization procedure. Section|4]describes 
the rewriting logic semantics of PLEXIL. In Section[5]we discuss preliminary results. Related work and 
concluding remarks are presented in Section [6] 

2 Rewriting Logic and Structural Operational Semantics 

Rewriting logic (TTJ is a general semantic framework that unifies in a natural way a wide range of models 
of concurrency. Language specifications can be executed in Maude, a high-performance rewriting logic 
implementation, and benefit from a wide set of formal analysis tools available to it, such as Maude's LTL 
Model Checker. 

A rewriting logic specification or theory is a tuple St = (L,EUA,R) where: 

• UA) is a membership equational logic theory with £ a signature having a set of kinds, a 
family of sets of operators, and a family of disjoint sets of sorts; E a set of Z-sentences, which 
are universally quantified Horn clauses with atoms that are equations {t = t') and memberships 
(t : s), with t,t' terms and s a sort; A a set of "structural" axioms (typically associativity and/or 
commutativity and/or identity) such that there exists a matching algorithm modulo A producing a 
finite number of A-matching substitutions; and 

• R a set of universally quantified conditional rewrite rules of the form 

(VX) r:t — ►f'if f\ui = u' A/\vj : SjA/\wi — > w\ 

i j I 

where X is a set of sorted variables, r is a label, t,t' ,K,-,wj,vy,w/ and w\ are terms with variables 
among those in X, and sj are sorts. 

Intuitively, 3% specifies a concurrent system, whose states are elements of the initial algebra T^/eua 
specified by the theory (T,,E UA) and whose concurrent transitions are. specified by the rules R. Concur- 
rent transitions are deduced according to the set of inference rules of rewriting logic, which are described 
in detail in [3 ] (together with a precise account of the more general forms of rewrite theories and their 
models). Using these inference rules, a rewrite theory St proves a statement of the form (VX) t — > t', 
written as St h (VX) t — > t', meaning that, in St, the state term t can transition to the state term t' in a 
finite number of steps. A detailed discussion of rewriting logic as a unified model of concurrency and its 
inference system can be found in fTT] . 

We have a one-step rewrite [t]EuA — >se Mbua in & iff we can find a term u 6 [t]s\jA such that u can 
be rewritten to v using some rule r : a — > bifC^Rin the standard way (see [6]), denoted u — >r v, 
and we furthermore have v £ [f'JsuA- For arbitrary E and R, whether [t]EuA — >st. Meua holds is in 
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general undecidable, even when the equations in E are confluent and terminating modulo A. Therefore, 
the most useful rewrite theories satisfy additional executability conditions under which we can reduce 
the relation [t]EuA — >.<%> [t']EUA to simpler forms of rewriting just modulo A, where both equality modulo 
A and matching modulo A are decidable. 

The first condition is that E should be terminating and ground confluent modulo A J6j. This means 
that in the rewrite theory B$ e /a = (^A^E), (i) all rewrite sequences terminate, that is, there are no infinite 
sequences of the form [h\ A — >^ E/A [t 2 ]A ■ ■ • [t n )A — >M E/A [tn+iU • • • , and (ii) for each [t] A G T L/A there is 
a unique A-equivalence class [can E / A (t)] A G T^u called the E -canonical form of [t] A modulo A such that 
there exists a terminating sequence of zero, one, or more steps [t] A — *% E A [ can E/A(0U- 

The second condition is that the rules R should be coherent [21] relative to the equations E modulo A. 
This precisely means that, if we decompose the rewrite theory 3% = (L,EUA,R) into the simpler theories 
&e/a = &A,E) and Mr/ a = (L,A,R), which have decidable rewrite relations — ^M E i A and — ^M R , A 
because of the assumptions of A, then for each A-equivalence class [t] A such that [t] A — >M R i A [ f 'U we can 
always find a corresponding rewrite [can^^)]^ — *M R i A [ f "U such that [can E / A (t')] A = [can E / A (t")] A . 
Intuitively, coherence means that we can always adopt the strategy of first simplifying a term to canonical 
form with E modulo A, and then apply a rule with R modulo A to achieve the effect of rewriting with R 
modulo EL) A. 

The conceptual distinction between equations and rules has important consequences when giving the 
rewriting logic semantics of a language L as a rewrite theory M E = (Ll,ElUAl,Rl)- Rewriting logic's 
abstraction dial |T2} captures precisely this conceptual distinction. One of the key features of Structural 
Operational Semantics is that it provides a step-by-step formal description of a language's evaluation 
mechanisms fT4} . Setting the level of abstraction in which the interleaving behavior of the evaluations 
in L is observable, corresponds to the special case in which the dial is turned down to its minimum 
position by having E E L)A E = 0. The abstraction dial can also be turned up to its maximal position as the 
special case in which R E = 0, thus obtaining an equational semantics of the language. In general, we can 
make a specification as abstract as we want by identifying a subset R' L C R L such that the rewrite theory 
(Ll, (ElL)R l ) L)Al,Rl\R'l) satisfies the executability conditions aforementioned. We refer the reader 
to p2][T6l|T9| for an in-depth presentation of the relationship between structural operational semantics 
and rewriting logic semantics, and the use of equations and rules to capture in rewriting logic the dynamic 
behavior of language semantics. 

The conceptual distinction between equations and rules also has important practical consequences for 
program analysis, because it affords massive state space reduction which can make formal analyses such 
as breadth-first search and model checking enormously more efficient. Because of state-space explosion, 
such analyses could easily become infeasible if we were to use a specification in which all computation 
steps are described with rules. 

3 A Rewriting Library for Synchronous Relations 

When designing a programming language, it is useful to be able to define its semantic relation, to for- 
mally prove properties of this relation and to execute it on particular programs. However, defining such a 
semantic relation and formally reasoning about it is generally difficult, time consuming, and error-prone. 
This would be a major endeavor if it had to be done from scratch for each language. Moreover, since 
programming languages tend to evolve constantly, tools must allow reusing parts of former developments 
to support rapid yet correct prototyping. 

Fortunately, small-step operational semantic relations are, in general, built from simple relations with 
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a limited number of operations, such as reflexive-transitive extension, reduction to normal form, parallel 
extension, etc. As a minimum, the framework should include a library containing the definitions of 
these operations and formal proofs of their properties. This will considerably reduce the amount of work 
needed to define the semantic relation of particular programming languages and to formally prove their 
properties. Defining the semantic relation of synchronous languages requires defining the synchronous 
extension of an atomic execution relation, an operation that has been much less studied formally than 
other relation operations such as the reflexive-transitive extension or the parallel extension. 

We present in this section a first attempt to design a framework for rapid yet correct prototyping 
of semantic relations, in particular of synchronous languages. This framework allows one to define 
semantic relations, to execute them on particular programs and to formally prove some of their properties 
using general theorems about the operations that permit to build relations from relations. We have been 
experimenting with this framework using various versions of the PLEXIL language (see Section|4]). 

The definitions and properties presented in Section 3.1 have been developed in PVS. The Maude 
engine is used for executing the semantic relations on particular programs. The full development of the 
framework, including the formal semantics of PLEXIL, is available from |nttp : / /research . nianet . | 
org/fm- at-nia/PLEXIL] 



3.1 Set Relations and Determinism 

Let — > be a binary relation on a set T. We say that a G T is a redex if there exists a' G T such that a — > a', 
and that it is a normal form otherwise. We denote by — > , — > n , and —y*, the identity relation, n-fold 
composition, and reflexive-transitive closure of — >, respectively. 

In addition to the above relations, we also define the normalized reduction relation — ^ of — K 

Normalized reduction a^a' if and only if a— >*a' and a' is a normal form. 

Henceforth, we assume that the relation — > is defined on sets over an abstract type T, i.e., — > C 
&(T) x & (T). We define the asynchronous extension of — >, denoted — >, as the congruence closure of 

— > and the parallel extension of — >, denoted — >, as the parallel closure of — >. 

Asynchronous extension a —t- a' if and only if there exist sets b and b' such that bCa,b^0,b^-b' 
and a! = (a \ b) U b' . 

Parallel extension a \ a' if and only if there exist b\,...,b n , nonempty, pairwise disjoint subsets of a, 
and sets b[,...,b' n such that bi — > b\ and a' = (a\ IJ,- bi) U (J, b \. 

The definition of a synchronous reduction requires the definition of a strategy that selects the redexes 
to be synchronously reduced. 

Strategy A strategy is a function mapping elements a G &(T) into bi,...,b n , nonempty, pairwise dis- 
joint subsets of a such that all bi are redexes for — h 

Synchronous extension Let s be a strategy, a A a' if and only if there exist b\ , . . . , b' n such that s(a) = 
{h,...,b n }, bi -»■ b\ and a' = (a\ U,A) U \JiK 

A natural way of defining strategies is via priorities. A priority is a function p that maps elements 
a G £P(T) into natural numbers. 
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Maximal redex Let a £ &(T) and let p be a priority function. A nonempty subset b of a is said to be 
a maximal redex of a if it is a redex, and for all nonempty subsets c of a such that c is a redex, c ^ b 
and cflfe ^ 0, we have > p(c). By construction, the set of maximal redexes of a set are pairwise 
disjoint. The maximal redexes strategy is the function that, given a priority function, maps elements 
a £ &(T) into the set of its maximal redexes. 

In addition to the definition of the relation operators presented here, our library includes formal proofs 
of properties related to determinism and compositionality for abstract set relations. In this paper, we will 
focus on determinism as this property is fundamental to the specification of synchronous relations in 
rewriting logic. 

Determinism A binary relation — > defined on a set T is said to be deterministic if for all a, a' and a" in 

T,a — ^ a' and a — > a" implies a' = a". 

Determinism is a stronger property than confluence, i.e., a deterministic relation is also confluent, 
but a confluent relation is not necessarily deterministic. 

Proposition 3.1 (Determinism of — > n , — ^ and A). If the relation — > is deterministic, then so are the 
relations — > n , — and A. 

In contrast, even if the relation — > is deterministic, the relations — >•*, —> and — ^ are not always 
deterministic. 



3.2 Executing Semantic Relations 

Executing the semantic relation of a programming language is desirable during the design phase of the 
language. In particular, it allows the designer of the features to experiment with different semantic 
variants of the language before implementing them. 

Rewrite systems are a computational way of defining binary relations. Since our formalism is based 
on set relations, we consider rewrite systems on an algebra of terms of type T modulo associativity, 
commutativity, identity, and idempotence: the basic axioms for the union of sets. We denote the equality 
on terms of this algebra by =acui- The relation — > defined by a rewrite system & is defined as follows. 

Relation denned by a rewrite system a^bif and only if there exists a rewrite rule / — > rinM and a 
substitution a such that a =acui &l an d b =acui Gr. 

We remark that the previous definition uses the substitution closure of the rewrite system, rather than 
the more traditional definition based on the congruence closure. For example, if we consider the rewrite 
system 

A(x) — > B(x), 

we have thatA(O) ->5(0) andA(l) ->5(1). On the other hand, A(0),A(1) is not a redex for -K 

The synchronous extension of a relation — > challenges the standard asynchronous interpretation of 
rew rite s ystems. Consider again the previous example. The asynchronous extension of — > defined in Sec- 
tion 3.1 which indeed encodes the congruence closure, relates A(0),A(1) ->fl(0),A(l) and A(0),A(l)-> 
A(0),B(1). However, it does not relate A(0),A(1) to fi(0),fi(l), which corresponds to the parallel reduc- 
tion of both A (0) and A ( 1 ) . In this particular case, we have that A (0) , A ( 1 ) A 5(0) , A (1 ) 4- B (0) , 5(1) . 

We remark that if a — > b, for a strategy s, then a— > b. However, in order to select the redexes to 
be reduced, we need additional machinery. In particular, we need to keep a log book of redexes that 
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need to be reduced and redexes that have been already reduced. We propose the following procedure to 
implement in an asynchronous rewrite engine, such as Maude, the synchronous extension of a relation 
for a strategy. 

Serialization procedure Let — > be a relation and s a strategy. Given a term a G 0*(T), we compute a 
term b as follows. 

1. Reduce the pair (\Js(a) ; 0) to a normal form (0 ; a'} using the following rewrite system: 

{a.i,c;d) — > {c;af,d), 

where a; — > a\. 

2. The term b is defined as (a \{Js(a)) Da'. 

Since a strategy is a set of redexes, and this set is finite, the procedure is well-defined, i.e., it always 
terminates and returns a term. However, the procedure is not necessarily deterministic. 

In our previous example, we want to apply the procedure to A(0),A(1),B(1) using the maximal 
redexes strategy max p (assuming that all terms have the same priority). Since max p ({A(0),A(l),fi(l)}) = 
{A(0),A(1)}, we have to reduce the pair (A(0),A(1) ; 0) to its normal form (0 ; fi(0),fi(l)). Then, 
we compute {A(0),A(1),B(1)} \ {A(0),A(1)} U {fl(0),fl(l)}, which is equal to B(0),B(1). We check 
thatA(0),A(l),B(l) 4fl(0),B(l). 

Theorem 3.2 (Correctness of serialization procedure). The serialization procedure is sound, i.e., if the 
procedure returns b from a, then a^rb. Furthermore, if—* is deterministic, the procedure is complete, 
i.e., if a A b then the procedure returns bfrom a. 

Proof. Soundness Assume that the procedure returns b = a \{Js(a) U a' from a. We have to prove that 
a—*b. Let s(a) = {a\ ,a n }, where a, C a, for 1 < i < n. From the definition of a strategy, the 
elements in s(a) are pairwise disjoint. Then, from the procedure, where a,- — > a-, 

for 1 < i < n. Let c C a be such that none of the subsets of c is in s(a). Then, a has the form a = 
a\, . . . ,a n ,c. Hence, b = a[, . . . ,a' n ,c. By definition of — >, we have that a[, . . . ,a n ,c ^ a[,. 



Completeness In this case, it suffices to note that by Proposition 3.1 if — > is deterministic, then — > is 
deterministic. Therefore, the normal form of (\Js(a) ; 0) is unique and the procedure returns a 
unique b = a \\Js(a) Da'. This b is the only term that is related to a in the relation 

□ 



4 Rewriting Logic Semantics of PLEXIL 

The framework presented in Section|3]is abstract with respect to the elements in the set T and the basic set 
relation — K If we consider that T is a set of PLEXIL nodes and — > is PLEXILs atomic relation, we can 



deduce by Proposition |3. 1| that, since PLEXILs atomic relation is deterministic [7] , PLEXILs micro 



and quiescence relations are deterministic as well. Therefore, we can use the serialization procedure 



presented in Section 3.2 to implement a sound and complete formal interpreter of PLEXIL in Maude. 

In this section, we describe in detail the specification of such an interpreter. We only discuss the 
atomic and micro relations since they are the most interesting ones for validating the synchronous se- 
mantics of PLEXIL. More precisely, we present the rewrite theory ^pxl = (£pxl,£pxl U Apxlj^pxl)> 
specifying the rewriting logic semantics for PLEXILs atomic and micro relations. We use the deter- 
minism property of PLEXILs atomic relation to encode it as the computation rules in £pxl because 
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it yields a confluent equational specification. Consequently, the serialization procedure for PLEXIL's 
synchronous semantics into rewriting logic can be defined equationally, thus avoiding the interleaving 
semantics associated with rewrite rules in Maude. Of course, due to the determinism property of the 
language, one can as well turn up the "abstraction dial" to its maximum by making the rewrite rules 
7?pxl into computational rules. This will result in a faster interpreter, for example. Nevertheless, we are 
interested in PLEXIL semantics at the observable level of the micro relation. Therefore, in the rewrite 
theory ^pxl,: (i) the equational theory (Zpxl,£pxl UApxl) defines the semantics of the atomic relation 
and specifies the serialization procedure for the synchronous semantics of PLEXIL, and (ii) the rewrite 
rules 7?pxl define the semantics of the micro relation. 

In this section we assume the reader is familiar with the syntax of Maude [5], which is very close to 
standard mathematical notation. 

4.1 PLEXIL Syntax 

A PLEXIL plan is a tree of nodes representing a hierarchical decomposition of tasks. The interior nodes 
in a plan provide the control structure and the leaf nodes represent primitive actions. The purpose of 
each node determines its type: List nodes group other nodes and provide scope for local variables, 
Assignment nodes assign values to variables (they also have a priority, which serves to solve race 
conditions between assignment nodes), Command nodes represent calls to commands, and Empty nodes 
do nothing. Each PLEXIL node has gate conditions and check conditions. The former specify when the 
node should start executing, when it should finish executing, when it should be repeated, and when it 
should be skipped. Check conditions specify flags to detect when node execution fails due to violations 
of pre-conditions, post-conditions, or invariants. Declared variables in nodes have lexical scope, that is, 
they are accessible to the node and all its descendants, but not siblings or ancestors. The execution status 
of a node is given by status such as Inactive, Waiting, Executing, etc. The execution state of a plan 
consists of (i) the external state corresponding to a set of environment variables accessed through lookups 
on environment variables, and (ii) the internal state which is a set of nodes and (declared) variables. 

Figure[T]illustrates with a simple example the standard syntax of PLEXIL. In this particular example, 
the plan tasks are represented by the root node Saf eDrive, the interior node Loop, and the leaf nodes 
DneMeter, TakePic and Counter. OneMeter and TakePic are, for example, nodes of type Command. 
The node Counter has two different conditions: Start is a gate condition constraining the execution 
of the assignment to start only when the node TakePic is in state Finished, while Pre is a check 
condition for the number of pictures to be less than 10. The internal state of the plan at a particular 
moment is represented by the set of all nodes of the plan, plus the value of the variable pictures, while 
the external state of the plan contains the (external) variable WheelStuck. 

The external state of a plan is defined in the functional module EXTERNAL-STATE-SYNTAX. The sort 
ExteraalState represents sets of elements of sort Pair, each of the form {name , value); we assume that 
the sorts Name and Value, specifying names and values, respectively, have been defined previously in 
the functional modules NAME and VALUE, respectively. 

fmod EXTERNAL-STATE-SYNTAX is 

protecting Name . protecting Value . 
sort Pair . 

op (_,_) : Name Value -> Pair . 
sort ExternalState . 
subsort Pair < ExternalState . 
op mtstate : -> ExternalState . 

op _,_ : ExternalState ExternalState -> ExternalState [assoc comm id: mtstate] . 
eq ES: ExternalState , ES: ExternalState = ES : ExternalState . 
endfm 
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List SafeDrive { 
int pictures = 0; 
End: 

LookupOnChange (WheelStuck) == true OR pictures == 10; 
List Loop { 
Repeat -while : 

LookupOnChange (WheelStuck) == false; 
Command OneMeter { 

Command: Drive (1); 

} 

Command TakePic { 

Start: OneMeter . status == FINISHED AND pictures < 10; 
Command: TakePicture () ; 

} 

Assignment Counter { 

Start: TakePic . status == FINISHED; 
Pre: pictures < 10; 

Assignment: pictures := pictures + 1; 

} 

} 

} 



Figure 1: SafeDrive: A PLEXIL Plan Example 

The internal state of a plan is represented with the help of Maude's built-in CONF module supporting 
object based programming. The internal state has the structure of a set made up of objects and messages, 
called configurations in Maude, where the objects represent the nodes and (declared) variables of a plan. 
Therefore, we can view the infrastructure of the internal state as a configuration built up by a binary 
set union operator with empty syntax, i.e., juxtaposition, as : Configuration x Configuration — > 
Configuration. The operator __ is declared to satisfy the structural laws of associativity and commuta- 
tivity and to have identity mtconf . Objects and messages are singleton set configurations and belong to 
subsorts Object, Msg < Configuration, so that more complex configurations are generated out of them 
by set union. An object, representing a node or a (declared) variable, in a given configuration is repre- 
sented as a term (O : C \ a\ : vi, . . . ,a n : v n ), where O is the object's name or identifier (of sort Oid), C is 
its class (of sort Cid), the a ; 's are the names of the object's attribute identifiers, and the v,'s are the cor- 
responding values. The set of all the attribute-value pairs of an object state (of sort Attribute) is formed 
by repeated application of the binary union operator _, _ which also obeys structural laws of associativity, 
commutativity, and identity, i.e., the order of the attribute- value pairs of an object is immaterial. The 
internal state of a plan is defined in the functional module INTERNAL-STATE-SYNTAX by extending the 
sort Configuration; the sorts Exp and Qualified, which we assume to be defined, are used to specify 
expressions and qualified names, respectively. 

fmod INTERNAL-STATE-SYNTAX is 

extending CONFIGURATION . protecting EXP . 
protecting QUALIFIED . 

subsort Qualified < Oid . Qualified elements are object identifiers 

ops List Command Assignment Empty : -> Cid . Types of nodes 

sort Status . 

ops Inactive Waiting Executing Finishing Failing Finished IterationEnded Variable : -> ExecState . 
sort Outcome . 

ops None Success Failure : -> Outcome . 

op status: : Status -> Attribute . Status of execution 

op outcome: : Outcome -> Attribute . Outcome of execution 

ops start: skip: repeat: end: : Exp -> Attribute . Gate conditions 



86 



Rewriting Logic Semantics of a Plan Execution Language 



ops pre: post: inv: : Exp -> Attribute 
op command: : Exp -> Attribute . 
op assignment: : Exp -> Attribute . 
ops initval actval: Exp -> Attribute . 

endfm 

Using the infrastructure in INTERNAL-STATE-SYNTAX, the internal state of SafeDrive in Figure [T] is 
represented by the configuration in Figure [2] Observe that the sort Qualified provides qualified names 
by means of the operator _._ : Qualified x Qualified — > Qualified, which we use to maintain the hier- 
archical structure of the plans. The dots at the end of each object represent the object's attributes that 
are not explicitly defined by the plan but that are always present in each node such as the status or the 
outcome. There is a "compilation procedure" from PLEXIL plans to their corresponding representation 
in Maude, that we do not discuss in this paper, which includes all implicit elements of a node as attributes 
of the object representation of the node. 



< SafeDrive : List I end: LookupOnChange(WheelStuck) == true OR pictures == 10, ... > 

< Loop . SafeDrive : List I repeat: LookupOnChange (WheelStuck) == false , ... > 

< OneMetter . Loop . SafeDrive : Command I command: Drive(l) , ... > 

< TakePic . Loop . SafeDrive : Command I start: OneMeter . Status == Finished and pictures < 10, 
command: TakePicture () , ... > 

< Counter . Loop . SafeDrive : Assignment I pre: pictures < 10, 
assignment: pictures := pictures +1, ... > 

< pictures . SafeDrive : Memory I initval: 0, actval: > 



Figure 2: SafeDrive in Mpxl 

We are now ready to define the sort State representing the execution state of the plans in the func- 
tional module STATE-SYNTAX, by importing the syntax of external and internal states: 

fmod STATE-SYNTAX is 

pr EXTERNAL-STATE-SYNTAX . 
pr INTERNAL-STATE-SYNTAX . 
sort State . 

op _|-_ : ExternalState Configuration -> State . 
endfm 

We adopt the syntax T h 71 to represent the execution state of the plans, where F and n are the external 
and internal states, respectively. 

4.2 PLEXIL Semantics 

PLEXIL execution is driven by external events. The set of events includes events related to lookup in 
conditions, e.g., changes in the value of an external state that affects a gate condition, acknowledgments 
that a command has been initialized, reception of a value returned by a command, etc. We focus on the 
execution semantics of PLEXIL specified in terms of node states and transitions between node states 
that are triggered by condition changes (atomic relation) and its synchronous closure under the maximal 
redexes strategy (micro relation). PLEXIL's atomic relation consists of 42 rules, indexed by the type and 
the execution status of nodes into a dozen groups. Each group associates a priority to its set of rules 
which defines a linear order on the set of rules. 

The atomic relation is defined by (T,7i) h P — > a P', where P C %. For instance, the four atomic 
rules corresponding to the transitions from Executing for nodes of type Assignment are depicted in 



Check conditions 

Command of a command node 

Assignment of an assignment node 

Initial and actual values of a variable node 
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Figure [3] Rule r-i updates the status and the outcome of node A to the values IterationEnded and 
Success, respectively, and the variable x to the value v, i.e., the value of the expression e in the state %, 
whenever the expressions associated with the gate condition End and the check condition Post of node A 
both evaluate to true in %. In rule r\ , Anclnv (A) is a predicate, parametric in the name of nodes, stating 
that none of the ancestors of A has changed the value associated with its invariant condition to false. 
The value _L represents the special value "Unknown". We use (T, %) h e ~> v to denote that expression e 
evaluates to value v in state r h %\ by abuse of notation, we write (T, %) h e v to denote that expression 
e does not evaluate to value v in (T, %). 



(r, 7t) h AncInv(A) ~> false A. body = x := e 
A. type = Assignment A. status = Executing 



(r, it) h Node A — > u Node A with [status = Finished, outcome = Failure, x = _L] 



(r, 7t) h A. Invariant f alse A. body = x := e 

A. type = Assignment A. status = Executing 

r 2 

(r, n) h Node A — > a Node A with [status = IterationEnded, outcome = Failure , x = _L] 

(r, 7t) h A.End^-> true A. body = x := e 
(r, n) h A.Post ~» true (r, it) h e ~* v 
A. type = Assignment A. status = Executing 



(r, %) h Node A — > a Node A with [status = IterationEnded, outcome = Success, x = v] 

(r, It) h A. End ~> true (r, 7t) h A.Post 7^ true 
A. type = Assignment A. status = Executing 



(r, 7t) h Node A — ^, Node A with [status = IterationEnded, outcome = Failure 

{r 4 < n < r 2 < n} 



>'4 



Figure 3: Atomic rules corresponding to the transitions from Executing for nodes of type Assignment 

The relation r < s between the labels of two different rules specifies that the rule r is only applied 
when the second rule s cannot be applied. That is, the binary relation on rules defines the order of their 
application when deriving atomic transitions. So, a rule r can be used to derive an atomic transition if 
all its premises are valid and no rule higher than r (in its group) is applicable. In the case of PLEXIL's 
atomic relation, the binary relation < on rules is a linear ordering. This linearity is key to the determinism 
of PLEXIL (see (gj). 

The micro relation T h 71 — > m %' , the synchronous closure of the atomic relation under the maximal 
redexes strategy, is defined as: 

(r,7r)hA -^ a p[ 
(r,K)hP n ^ a p^ 



Micro 



T\-n^ m (n\ |J Pi) U U Pi 

\<i<n l<i<n 

where M % = {Pi, . . . ,P„} is the set of nodes and variables in % that are affected by the micro relation. 
If two different processes in n, say A and B, write to the same variable, only the update of the pro- 
cess with higher priority is considered (assignment nodes have an associated priority always), e.g., A if 
A. priority > B. priority, B if B. priority > A. priority, and none otherwise. 
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In order to specify the PLEXIL semantics in Maude, we first define the infrastructure for the serial- 
ization procedure in the functional module SERIALIZATION-INFRASTRUCTURE. 



fmod SERIALIZATION-INFRASTRUCTURE is 
inc STATE-SYNTAX . 



op [_:_!_] : Oid Cid AttributeSet -> Object . New syntactic sugar for objects 

op updateStatus 

op updateOutcome 

op updateVariable : Qualified Value -> Msg . Update variable message 



Qualified Status -> Msg . Update status message 

Qualified Outcome -> Msg . Update outcome message 



ops applyUpdates unprime : State -> State . Application of updates and 'unpriming' 

var r : ExternalState . var % : InternalState . var A : Oid . var C : Cid . 
var Att : AttributeSet . vars S S' : Status . var St : State . 

eq applyUpdates ( T h [ A : C I status: S , Att ] updateStatus (A , S') TC ) 
= applyUpdates ( T h [ A : C I status: S' , Att ] % ) . 

eq applyUpdates (St) = St [owise] . 

eq unprime ( T h [ A : C I Att ] % ) = unprime ( T h < A : C I Att > TC ) . 
eq unprime (St) = St [owise] . 
endfm 

Following the idea of the serialization procedure, we distinguish between unprimed and primed 
redexes by using syntactic sugar for denoting objects in the Maude specification: unprimed redexes 
are identified with the already defined syntax for objects in the form of (O : C | ...) and primed re- 
dexes are identified with the new syntax for objects in the form of [O : C \ ...]. We use messages, 
i.e., elements in the sort Msg, to denote the update actions associated with the reduction rules for 
the atomic relation; we accumulate these messages in the internal state of the execution state of the 
plans, i.e., we also use the internal state in the spirit of the log book of the serialization procedure. 
For example, the configuration updateStatus (A, IterationEnded) updateOutcome (A, Success) 
updateVariable (x,v) corresponds to the update actions in the conclusion of rule r-^ in Figure [3] The 
functions applyUpdates and unprimes apply all the collected updates in the internal state, and "un- 
primes" the "primed" nodes, respectively. In the specification above, it is shown how the status of a node 
is updated and how primed nodes become unprimed. 

We give the equational serialization procedure in the general setting in which we consider a linear 
ordering on the rules. 

Equational serialization procedure (with priorities) Let 



{r,- : (r, 7r) h Node A — > u Node A with [updates^] // Ci}i< ; -< n 

be the collection of atomic rules (in horizontal notation) defining the transition relation for nodes of 
type T in status S, with r n < ■ ■ ■ < r,- < • ■ ■ < r\, where updatesi is the set of update actions (the 
order in the update actions is irrelevant) in the conclusion of r, and Ci is the set of premises of r,. The 
equational serialization procedure is given by the following set of equations, in Maude notation, defining 
the function symbol, say, r: 

var r : ExternalState . var A : Oid . var S : Status . 

var TC : Configuration . var T : Cid . var Attr : AttributeSet . 

op r : State -> State . 

eq r( T h < A : T I status: S , Attr > TC ) 
= if C] == true then r( Y h [ A : T I status: S , Attr ] messages (updates] ) % ) 
else if C2 == true 

... else if C„ == true then r( Y h [ A : T I status: S , Attr ] messages (updates,,) n ) 
else r( T h [ A : T I status: S , Attr ] % ) fi 

f i . . . 

fi . 

eq r(rhl)=rhl [owise] . 
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where messages(updadatesi) represents the message configuration associated with the update actions 
in the conclusion of rule r,-. 

The equational serialization procedure defines a fresh function symbol, say, r : State — > State. The 
first equation for r tries to apply the atomic rules in the given order, by first evaluating the condition 
and then marking the affected node. If the condition evaluates to true, then update messages are gener- 
ated. The second equation, removes the function symbol r when there aren't any more possible atomic 
reductions with the rules {r/}. 

The atomic relation is defined in the functional module ATOMIC-RELATION by instantiating the equa- 
tional serialization procedure for each one of the twelve groups of atomic rules with a different function 
symbol for each one. 

Finally, the micro relation is defined by the rule micro in the system module PLEXIL-RLS, which 
materializes the rewrite theory i^pxL in Maude: 

mod PLEXIL-RLS is 

pr ATOMIC-RELATION . 

pr SERIALIZATION-INFRASTRUCTURE . 

rl [micro] : Y h n => Y h unprime (applyUpdates (ai ( . . . ai2 ( Y h % )...))) . 
endm 

where a! , . . . , a 12 are the function symbols in ATOMIC-RELATION defining the serialization procedure 
for each one of the twelve groups of rules. 

5 Preliminary Results 

We have used ^pxl to validate the semantics of PLEXIL against a wide variety of plan examples. We 
report on the following two issues of the original PLEXIL semantics that were discovered with the help 

of^ PXL : 

1. Non-atomicity of the atomic relation. A prior version of the atomic rules rj and rn, for Assignment 
nodes in state Executing, presented in Figure [3} introduced an undesired interleaving semantics 
for variable assignments, which invalidated the synchronous nature of the language. 

2. Spurious non-termination of plans. Due to lack of detail in the original specification of some 
predicates, there were cases in which some transitions for List nodes in state IterationEnded 
would lead to spurious infinite loops. 

Although the formal operational semantics of PLEXIL in [ 8 ] has been used to prove several prop- 
erties of PLEXIL, neither one of the issues was previously found. As as matter of fact, these issues do 
not compromise any of the proven properties of the language. Solutions to both issues were provided 
by the authors, and have been adopted in the latest version of the formal PLEXIL semantics. We are 
currently using &?xl as the formal interpreter of PLEXIL 's Formal Interactive Visual Environment fl5) 
(PLEXIL5), a prototype graphical environment that enables step-by-step execution of plans for scripted 
sequence of external events, for further validation of the language's intended semantics. 

We have also developed a variant of iipxL in which the serialization procedure was implemented 
with rewrite rules, instead of equations, and rewrite strategies. In general, ^pxl outperforms that variant 
by two orders of magnitude on average, and by three orders of magnitude in some extreme cases. 

The rewrite theory i^pxL has approximately 1000 lines of code, of which 308 lines correspond to the 
module ATOMIC-RELATION. The rest corresponds to the syntax and infrastructure specifications. 
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6 Related Work and Conclusion 

Rewriting logic has been used previously as a testbed for specifying and animating the semantics of 
synchronous languages. M. AlTurki and J. Meseguer [ 1] have studied the rewriting logic semantics of 



the language Ore, which includes a synchronous reduction relation. T. Serbanuta et ol. [17] define the 
execution of P-systems with structured data with continuations. The focus of the former is to use rewrit- 
ing logic to study the (mainly) non-deterministic behavior of Ore programs, while the focus of the latter 
is to study the relationship between P-systems and the existing continuation framework for enriching 
each with the strong features of the other. Our approach is based more on exploiting the determinism of 
a synchronous relation to tackle the problem associated with the interleaving semantics of concurrency 
in rewriting logic. P. Lucanu fTOj studies the problem of the interleaving semantics of concurrency in 
rewriting logic for synchronous systems from the perspective of P-systems. The determinism property 
of the synchronous language Esterel [2] was formally proven by O. Tardieu in JT8J. 

We have presented a rewriting logic semantics of PLEXIL, a synchronous plan execution language 
developed by NASA to support autonomous spacecraft operations. The rewriting logic specification, a 
formal interpreter and a semantic benchmark for validating the semantics of the language, relies on the 
determinism of PLEXIL's atomic relation and a serialization procedure that enables the specification of 
a synchronous relation in an asynchronous computational model. Two issues in the original design of 
PLEXIL were found with the help of the rewriting logic specification of the language: (i) there was an 
atomic rule with the potential to violate the atomicity of the atomic relation, thus voiding the synchronous 
nature of the language, and (ii) a set of rules introducing spurious non-terminating executions of plans. 
We proposed solutions to these issues that were integrated into the current semantics of the language. 

Although we have focused on PLEXIL, the formal framework that we have developed is presented 
in a general setting of abstract set relations. In particular, we think that this framework can be applied 
to other deterministic synchronous languages. To the best of our knowledge there was no mechanized 
library of abstract set relations suitable for the definition and verification of synchronous relations; nei- 
ther was there a soundness and completeness proof of a serialization procedure for the simulation of 
synchronous relations by rewrite systems. 

To summarize, we view this work as (i) a step forward in bringing the use of formal methods closer 
to practice, (ii) a contribution to the modular and mechanized study of semantic relations, and (iii) yet 
another, but interesting contribution to the rewriting logic semantics project. 

We intend to continue our collaborative work with PLEXIL development team with the goal of ar- 
riving at a formal environment for the validation of PLEXIL. Such an environment would provide a 
rich formal tool to PLEXIL enthusiasts for the experimentation, analysis and verification of PLEXIL 
programs, which could then be extended towards a rewriting-based PLEXIL implementation with as- 
sociated analysis tools. Part of our future work is also to investigate the modularity of the equational 
serialization procedure with prioritized rules. 
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